You have the downstream devices pictured as firewalls in the diagram. If they are, do those firewalls have a policy that allows the inbound connection from any address via their zone facing the SSG?
Since the SNAT version of the policy works, can you confirm the default route on the downstream devices is actually up and active?